[cabfpub] Non-whitelisted email addresses used for DV issuing

Sigbjørn Vik sigbjorn at opera.com
Tue Mar 31 07:11:44 UTC 2015


Even if we don't think using email addresses for validation is a
vulnerability, let us not forget the other issue here. A number of
resellers (see quote below) list non-whitelisted emails as valid. If
these email addresses are usable (with any CA), we have a vulnerability.
Even if they aren't usable, we still have a PR problem: this looks bad
for the industry as a whole.

Could we please have clarification of the following:
1. Can resellers do their own domain verification, does the CA do this,
or does it depend?
2. What is the audit status of resellers as above?
3. Do CAs do any kind of check on resellers, e.g. have a look at their
web pages, and what they promise their customers?

On 30-Mar-15 16:55, Adriano Santoni - Actalis S.p.A. wrote:
> the reply I got from Will Dormann
> -----BEGIN QUOTE-----
> <http://certum.eu/certum/cert,offer_Commercial_SSL.dxml?MEDIA=pdf>
> <http://evssl.com.ua/docs/thawte/enroll_ssl123_eng.pdf>
> <https://www.thawte.com/assets/documents/guides/simplify-ssl-certificate-management-enterprise.pdf>
> <http://host.dynamicwebhost.net/features/approvedemail.htm>
> <https://www.geocerts.com/api_spec.pdf>
> <http://account.buyhttp.com/knowledgebase/753/Which-email-address-can-approve-SSL-certificate-order.html>
> <https://www.onestepssl.com/onestepssl_validation_process.php>
> <http://www.domainpurpose.com/ssl-faqs.htm>
> <http://kb.canvashost.com/?p=935>
> snip
> Or see variants of:
> <http://www.google.com/search?q="ssladmin%40yourdomain.com">

Sigbjørn Vik
Opera Software
